There are a ton of Managed Detection & Response (MDR) services out there, but breaking them down in plain English so you know what you’re really getting is a bit tougher. Here’s what we do as a baseline reference for you…and if a solution you’re evaluating doesn’t do any of these, I would walk.
Step 1: Asset Discovery
You can’t protect what you don’t know is connected to your network.
- What devices are on my network?
- What are my users doing?
- What vulnerabilities exist in my network?
- Are there known attackers trying to interact with my network?
- Are there active threats in my network?
Our service discovers all IP-enabled devices on your network, how they’re configured, and any potential vulnerabilities and active threats being executed against them. We leverage both Passive Network Monitoring, which highlights hosts on your network and their installed software packages, and Active Network Scanning to gently probe your network to coax responses from devices that provide clues identifying the device, the OS, running services and installed software.
All of this gives you visibility into your environment, which is the first step in really getting a handle on cybersecurity and how to do it well at your organization.
Step 2: Behavioral Monitoring
MDR services are only as good as the attacks they can keep up with; that’s why context is critical when analyzing system and network behavior. You need to be able to identify what’s normal activity for your environment and what’s suspicious for further digging.
A multi-layered approach to identifying threats is the only way to be successful. Standard intrusion detection systems are great because they identify known threats, but in order to uncover anomalies that might signal new and unknown threats, you need network behavior analysis.
- We continuously probe devices to confirm the services installed on those devices are still running and available; this helps us detect unexpected service outages throughout your critical infrastructure.
- We monitor administrative privileges activity across your on-premise and cloud environments to eliminate any unauthorized changes that could lead to a major breach.
- We also look for access to network resources from unfamiliar countries, as well as activity like creating and deleting mailboxes and/or rules.
- Finally, we keep an eye on creation and/or changes to Active Directory objects and security groups.
Step 3: Assessing & Responding to Vulnerabilities
You don’t know what you don’t know, which is to say you can’t identify your blind spots without regular vulnerability scans. We recommend scans at least once a month, and our more sophisticated clients conduct weekly scans. Here’s what matters to us when it comes to the scanning of your environment:
- After we conduct your scans, we prioritize your vulnerabilities for you. This is huge – it’s the dirty work of sifting through false positives, the severity of all your vulnerabilities, and then mapping that severity to your environment to ensure you know where to spend your time remediating.
- Following on this, we then provide concrete guidance on how to remediate those vulnerabilities with minimal disruption to your operations (think your patching cycles, etc).
- It’s worth noting, if you also use Agio for certain Managed IT services, we execute your remediation activities for you. We become your one-stop-shop for keeping you secure and making sure your infrastructure stays up and running smoothly.
- If we’re not your IT department, we still track your remediation efforts so if there’s something that’s slipped from last month to this month, we bubble it up in our monthly posture report meeting with you.
Vulnerability scanning is arguably a commodity service at this point, but what makes our scans different from the scanning our competitors do, is our service. We actually walk you through what the vulnerabilities mean and how they impact your business. This allows our clients to use the scanning results as a way of understanding how secure they really are. Plus, you have full access to our portal so you can see your vulnerability data for yourself, eliminating the “black box” complaint we hear from so many people about other providers.
Step 4: Security Information & Event Management (SIEM)
SIEM solutions lie at the heart of any MDR service; collecting data from disparate technologies, normalizing it, centralizing alerts, and correlating events to tell you exactly what to focus on is the promise of SIEM. The resources and expertise to do all of that, however, is the equivalent to “batteries not included.”
Our MDR service sits on top of a best-in-breed platform (ranked 10 best SIEM products by Gartner), fueled by our 24x7x365 SOC to deliver the batteries, and much more. Hint: what’s in bold is why we get selected over other MSSPs.
- Integrated global real-time view of emerging threats and bad actors from Open Threat Exchange (OTX)
- Continuous updates, including new correlation directives, threat signatures, remediation guidance, etc.
- 2,000+ correlation rules, including Agio’s own rules tailored for your specific industry
- 24x7x365 SOC supported by experienced security engineers (not entry-level analysts)
- Full access to our platform so you can see exactly what’s going on at all times
- Reporting you can actually understand (not just a list of meaningless data that doesn’t tell a story)
- Monthly meetings to dig into your security posture and progress
- Incident Response
Threat detection, fueled by an Intrusion Detection System (IDS), is a huge part of your Managed Detection and Response (MDR) service and keeping you safe.
Step 5: Threat Detection
New research indicates you have a 66% chance of being hacked not once, but five times. Makes sense – hackers’ day job is to get into your environment, and your day job is well, your day job.
We got you. The platform our service sits on top of receives threat intelligence every 30 minutes from a threat research team, who spends countless hours analyzing the different types of attacks, emerging threats, suspicious behavior, vulnerabilities and exploits. We then systematically evaluate what these threats mean to your environment, so we can decide what’s real and what’s not.
This is where our service makes it easy – attacks are classified into five categories, providing you with contextual information to help you understand attack intent and threat severity, based on how the hackers are interacting with your network:
- System Compromise | This is when we see behavior indicating a compromised system inside your environment.
- Exploitation & Installation | When we discover behavior indicating a successful exploit of a vulnerability or backdoor/RAT being installed on one of your systems.
- Delivery & Attack | When we uncover behavior indicating an attempted delivery of an exploit.
- Reconnaissance & Probing | When a bad actor attempts to discover information about your network.
- Environmental Awareness | When we find policy violations, vulnerable software, or suspicious communications.
And that’s all she wrote when it comes to Managed Detection & Response (MDR). If this was helpful, we’d love to hear from you and continue the conversation. Email us at firstname.lastname@example.org.